CVE-2025-61145
Double Free Vulnerability in libtiff tiffcrop.c Causes Crash
Publication date: 2026-02-23
Last updated on: 2026-02-25
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libtiff | libtiff | up to 4.7.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61145 is a double free vulnerability found in the libtiff library, specifically in the component tools/tiffcrop.c up to version 4.7.1.
A double free occurs when the same memory is freed more than once, which can lead to memory corruption.
This vulnerability was identified in the code around line 2931 of tools/tiffcrop.c, with the memory allocation happening at line 709.
How can this vulnerability impact me?
This double free vulnerability can cause memory corruption, which may lead to a crash or denial of service in applications using libtiff.
Additionally, it could potentially allow an attacker to execute arbitrary code by exploiting the corrupted memory state.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a double free in libtiff's tiffcrop tool (tools/tiffcrop.c). Detection consists of checking the version of libtiff installed on your system to see whether it is up to and including version 4.7.1, which is affected.
Since this is a memory corruption issue in a specific tool, direct network detection commands are not applicable. Instead, you can verify the version of libtiff installed using commands like:
- On Linux: `tiffcrop -v` or `tiffinfo -v` to check the version of libtiff tools.
- Alternatively, check the package version with your package manager, for example: `dpkg -l | grep libtiff` on Debian-based systems or `rpm -q libtiff` on RedHat-based systems.
For runtime detection, monitor application logs for crashes or abnormal behavior in tiffcrop, or run the tiffcrop tool on test TIFF files under a memory checker such as Valgrind, which reports a double free as an invalid free() of already-released memory.
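As an added example (not part of this advisory or of libtiff itself), a POSIX shell script that turns the version checks above into a repeatable assessment: it reads the installed libtiff version from dpkg, rpm or the tiffinfo banner and compares it, using GNU `sort -V`, against a FIXED_VERSION boundary. FIXED_VERSION is set to 4.7.1 following the affected-range table above, which marks that bound as exclusive; the `LIBTIFF, Version` banner format and the package-manager field names are assumptions.

```shell
#!/bin/sh
# Added example: assess an installed libtiff against the CVE-2025-61145 range.
# Assumption: versions sorting before FIXED_VERSION are affected (the table
# above marks 4.7.1 as the exclusive upper bound); adjust if your distribution's
# advisory gives a different boundary.
FIXED_VERSION="4.7.1"

# version_lt A B: succeed when A sorts strictly before B (needs GNU sort -V,
# so that 4.0.9 < 4.0.10 is handled numerically, not lexically).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# parse_libtiff_version TEXT: print the x.y.z following "LIBTIFF, Version"
# (the banner libtiff tools print with their usage text; assumed format).
parse_libtiff_version() {
    printf '%s\n' "$1" | sed -n 's/.*LIBTIFF, Version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# installed_libtiff_version: print the upstream version found on this host,
# trying the package manager first and the tiffinfo banner as a fallback.
installed_libtiff_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # strip a Debian epoch ("1:") and the revision/suffix ("-1", "+git...")
        dpkg-query -W -f='${Version}\n' 'libtiff*' 2>/dev/null |
            sed 's/^[0-9]*://; s/[-+].*//' | head -n1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' libtiff 2>/dev/null | head -n1
    elif command -v tiffinfo >/dev/null 2>&1; then
        parse_libtiff_version "$(tiffinfo 2>&1)"
    fi
}

# assess VERSION: print "affected" or "not-affected" for a version string.
assess() {
    if version_lt "$1" "$FIXED_VERSION"; then echo affected; else echo not-affected; fi
}

# Stand-alone use: report on the host's own libtiff, if one was found.
v="$(installed_libtiff_version)"
if [ -n "$v" ]; then echo "libtiff $v: $(assess "$v") by CVE-2025-61145"; fi
```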
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update libtiff to a version that includes the fix for this vulnerability. The fix was merged into the master branch on September 5, 2025, and addresses the double-free and memory leak issues.
If updating is not immediately possible, avoid using the vulnerable tiffcrop tool or any functionality that triggers the vulnerable code path.
Monitor for any patches or updates from your operating system or libtiff maintainers and apply them as soon as they become available.